A new study has tossed the big browsers into the security mosh pit and decreed that Google’s Chrome comes in first, Microsoft’s Internet Explorer pulls in at a close second, and Mozilla Firefox is bleeding a bit like a stuck pig.

The study, released Friday by Accuvant Labs, found that Firefox has four “unimplemented or ineffective” security services: sandboxing, plug-in security, JIT hardening and URL blacklisting (the last of which all three browsers flunked).

The browser comparison found that IE has, in fact, sandboxing and plug-in security, but it’s just plain old “implemented,” in Accuvant’s eyes, as opposed to being an “industry standard,” which is the star billing Chrome gets for all services (except the aforementioned URL blacklisting).

Here’s Accuvant’s conclusion:

The URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack.

Accuvant measured anti-exploitation techniques as opposed to the historical practice of tabulating vulnerabilities or assessing how speedily they get patched. After all, as Accuvant puts it, it’s hard to know, exactly, how long a browser hole lets the wind in, given that vendors don’t necessarily go around blabbing about fix timelines:

While Accuvant LABS did not approach Microsoft for internal statistics on privately identified vulnerabilities and vulnerabilities with undisclosed remediation timelines, it is likely that these statistics exist, and could open the door for an unambiguous debate about each project’s true response time.

Caveat emptor: Accuvant says the study was independently and objectively assessed, but it was, in fact, funded by Google.

Every browser maker is apt to measure their baby and declare that it’s the prettiest thing since Shirley Temple.

Case in point: in Microsoft’s own estimation, IE 9 has the best protection against phishing attacks and the most protection against socially engineered malware of the three most popular browsers.

Besides, as Sophos’s Carole Theriault points out, the real issue isn’t which browser you use; it’s more about whether your browser is up to date and how you’ve configured its security options.

As Carole said in her Update Your Parents’ Browser Day post, people tend to stick like glue to the browsers they know and love.

Confound it to tarnation, they ain’t gonna change to some fancy-pants new browser. Their old version of fill-in-the-blank works just fine, and they do not like change, nosiree.

And dagnabit, I can’t make fun of them because I am one of them: My ears got hot when I saw the dissing dished out to my beloved Firefox.

I switched to Chrome recently not because of security fears but because Mozilla’s update servers are getting hung up, its image consistently was corrupted when I tried to reinstall, and I just didn’t have time to troubleshoot the whole mess.

To go back to Carole’s point, security can be improved vastly simply by keeping a given browser up to date, without rocking the boat on an individual’s personal preference for browser maker.

Prejudice toward an outdated version of a given browser, however, is inexcusable. Outdated browsers are still out there, roaming the world at a baffling rate.

IE 6, for example, held 4.63% of worldwide browser usage as of February 2011. IE is, of course, the whipping boy in this scenario, but with just cause. If you look at Security Focus and Secunia’s comparison of unpatched vulnerabilities, IE versions 6 through 8 spread unpatched vulnerabilities across the table like a nasty rash.

The upshot: Don’t flee from Firefox or IE because of a report like this one.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.

Well yea, of course—that's why I pointed to Microsoft's own chart showing that IE 9 is the most secure of the bunch. You've got to take these reports with a grain of salt. And stop right there, commenters who will inevitably ask "then why did you bother reporting on the study?" The joy of blogging is being able to pick up on one of the headlines of the day and throw in a bit of perspective, THAT'S why. Just one of so many joys of the blogging life: venting!

I've given up using Google Chrome on my iMac (running OS X Lion), because it keeps crashing. Reports go off automatically to Apple, but the problem remains.
So I'm using Firefox and Safari (latest versions) again.

Right, for whatever reason, studies of this type tend to stick to the top 3 browsers. It would be interesting to see Safari and Opera thrown into the mix. Gee, I wonder which browser would come out on top if Apple funded a study that included Safari…. hmmm….. !

Opera has the worst URL filtering and has no JIT hardening or sandboxing so it would be tied with Firefox. However, from a practical standpoint you are the safest b/c no hacker is going to spend his time coding for a 2 percent browser in the English speaking web.

If you were on the Eastern European web, then you would be vulnerable as any other browser or more b/c Opera has very respectable market share there.

Excellent critique! And thanks for pointing out that Google's funding of the "study" is rather like the makers of Crest toothpaste stating that their product has been found to be better than those of other makers or that "3-out-of-4 Dentists surveyed" recommend it. A pre-survey is always useful in determining whom to exclude when the "real survey" is taken. I'm always leery of any result obtained from "investigations" funded by an interested party but that information is frequently hard to ferret out.

Accuvant has got it wrong. Internet Explorer is the least secure browser for two fundamental reasons.

1. It has a larger attack surface especially with ActiveX enabled.
2. It is embedded in the operating system. Therefore a compromise of the browser is a potential compromise of the operating system as well.
This is just the way it is. I have raised these concerns with Microsoft in the past and have never heard back from them.

I absolutely agree it is very important to keep up with the latest version, one reason I like Chrome is it keeps updating automatically. I'm now on version 15 and haven't seen any upgrading.

I have to agree, it's nice to read headlines about Google fixing a bunch of Chrome vulnerabilities and then have the process happen automatically. I just miss Firefox because of familiarity, and also because open-source gives me that warm populist glow. But then again, with Firefox mostly funded by Google, does it actually deserve that warm fuzz? If, in fact, Google keeps funding it… last thing I heard, it was a subject about which Mozilla is being a bit terse…

Keeping your software up to date is basic. I know many people don't do it for a variety of reasons. Still get contact with people using Apple OS 9. What about Apple Safari? How does that hold up in the browser lineup?

I wish my job would see it that way about the old browsers. It's driving us nuts. They're stuck on IE 7 (our office did have IE 6 until we complained!) because it takes so long to test when a new browser is updated that basically an even newer version comes out before they're done. Do they not understand that the longer we hang out with the old version, the more vulnerable we are?? And they're testing to make sure it's compatible with all the computers? Please. There's probably something they aren't telling us. The truth of the matter is, the browser is so out-dated, a lot of the stuff we browse barely works on them anymore. (Not to mention I can't even get on google +). The place I work is a huge Healthcare organization that, when we switch to a new browser, would probably get implemented across the country, so they do need to be cautious, but not to the point of security vulnerabilities. Personally, I use Chrome. Have for about 6 months and will never go back to that bloated and slow IE.

Using a NAC to survey our users, I recently discovered that we still have a couple of users with Firefox 2 installed. Firefox isn't officially supported and only technology users are allowed to install it in the first place, but version 2? Really?

I switched back to IE 9 with all of the bells and whistles. I also have Paid Versions of Malwarebytes and Avast security. I haven't had anything come through that one or the other software hasn't caught and stopped dead in its tracks. I am always on the vigilant stance as I don't trust anybody or anything from the Cloud Crap at all. I use throw-away emails from online too. I find if something happens to their server I have a new one signed up just as soon as I hear about a leak!